安全和灵活的跨域会话 [英] Secure and Flexible Cross-Domain Sessions

问题描述

我遇到一个问题，希望您能帮忙。假设我为一个名为Blammo的假设公司工作，我们有一个名为Log的假设产品。我试图建立一个系统，有人可以登录logfromblammo.com和订购我们的一些产品，然后当他们准备购买去checkout.blammo.com支付他们的订单。最终，我想允许Blammo推出一个新的假设产品，它自己的网站：rockfromblammo.com，并让该网站也能够与checkout.blammo.com共享一个会话，以便用户可以有一个单一的购物车跨产品网站。

当然，上述的假设情况并不是我公司的实际工作，但它是我需要做的一个很好的例子。我们有一个现有的用户数据库，我们有办法验证任何我们的网站上的我们的用户，但我的目标是允许用户无缝地从一个网站到另一个，而无需重新验证。

我已经（简要地）查看了OpenID等解决方案，但我需要以便能够将我们所拥有的任何解决方案与我们现有的认证方法相结合，这是不可靠的。

解决方案

你可以做的是创建交叉

最简单的方法是通过查询字符串传递会话ID。

  http://whateverblammo.com/?sessid=XXYYZZ 
  pre> 
 
 
在开始认为任何人都可以捕获这些信息之前，请考虑您的Cookie是如何传输的;假设你没有使用SSL，那么点击网络的人没有什么区别。
 
 
 
这并不意味着它是安全的;对于一个，用户可能会意外地复制/粘贴地址栏，从而泄漏出他们的会话。要限制此曝光，您可以在收到会话ID后立即重定向到该网页。
 
 
 
请注意，使用 mcrypt c $ c>对会话id不会有什么帮助，因为它不是价值的可见性的问题;会话劫持不关心底层的值，只是它的可重复性的url。
 
 
 
你必须确保id只能使用一次;这可以通过创建一个跟踪使用计数的会话变量来完成：
  $ _ SESSION ['extids'] = array （）; 
 
 $ ext = md5（uniqid（mt_rand（），true））; //只是一个半随机diddy 
 $ _SESSION ['extids'] [$ ext] = 1; 
 
 $ link ='http：// othersite /？'。 http_build_query（'sessid'=> session_id（）。' - '。$ ext）; 
  
收到时：
  list（$ sid，$ ext）= explode（' - '，$ _GET ['sessid']）; 
 session_id（$ sid）; 
 session_start（）; 
 if（isset（$ _ SESSION ['extids'] [$ ext]））{
 //好吧，确保不能再次使用
 unset（$ _ SESSION ['extids '] [$ ext]）; 
} 
  
您需要这些链接每次交叉，因为会话可能自上次以来已重新生成。
 
I am having an issue that I hope you can help with. Let's say I work for a hypothetical company called "Blammo", and we have a hypothetical product called "Log". I am trying to set up a system where someone could log in to logfromblammo.com and order some of our products, and then when they are ready to purchase go to checkout.blammo.com to pay for their order. Eventually I want to allow for Blammo to launch a new hypothetical product with it's own website: rockfromblammo.com, and have that site also able to share a session with checkout.blammo.com so that users can have a single shopping cart across both product websites.

Naturally the hypothetical scenario described above is not how my company actually works, but it is a fair example of what I need to do. We have an existing user database, and we have ways to authenticate any of our users on any of our sites, but the goal I have is to allow users to cross seamlessly from one site to another without having to re-authenticate. This would also allow for us to seamlessly transfer data such as a shopping cart to the checkout site.

I have (briefly) looked at solutions such as OpenID, but I need to be able to integrate whatever solution we have with our existing authentication method, which is not terribly robust. Is there any good way to do this through PHP alone?
解决方案
What you could do is create "cross-over" links between the sites to carry the session over.

The simplest way is to pass the session id via the query string; e.g.
http://whateverblammo.com/?sessid=XXYYZZ
Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.

That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leaking out their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.

Note that using mcrypt() on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only its reproducibility of the url.

You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:
$_SESSION['extids'] = array();

$ext = md5(uniqid(mt_rand(), true)); // just a semi random diddy
$_SESSION['extids'][$ext] = 1;

$link = 'http://othersite/?' . http_build_query('sessid' => session_id() . '-' . $ext);
When received:
list($sid, $ext) = explode('-', $_GET['sessid']);
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
    // okay, make sure it can't be used again
    unset($_SESSION['extids'][$ext]);
}
You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.

                        
这篇关于安全和灵活的跨域会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！